• Mission & Governance
• Services Overview
• How to Get Involved
• Standing Committees
• NCSL Foundation

• Issue Areas: A-Z
• State-Federal Relations
• NCSL Standing Committees
• News from D.C. and the States

• About State Legislatures
• Elections, Campaigns & Redistricting
• NCSL's StateConnect Directory
• Web Sites

• Online Guide to NCSL Services
• Staff Sections and Networks
• Meetings & Professional Development
• Staff Directories

• Meetings Calendar
• Online Registration
• Meetings Home Page
• Legislative Summit

• Bookstore
• State Legislatures Magazine
• NCSL's StateConnect Directory

Goals for State-Federal Action

Policy:	Financial Information Security
Committee:	Financial Services and Communications, Technology and Interstate Commerce
Type:	Debate

Americans place great value on the right to privacy, and general support for privacy and confidentiality protections has increased as the ability of individuals to seclude personal matters from the sight, presence and intrusion of others has diminished. In the Information Age—where vast quantities of information drive economic activity—familiar and unfamiliar entities continuously gather, solicit, manage and share personally identifiable data, which commonly includes financial records, medical histories, and information on routine consumer transactions. Although much of this information has long been available in pieces, its conversion into electronic form and concentration into massive, centralized information systems has significantly eroded an individual’s ability to condition or control his or her personal information. It also threatens the confidentiality of information by heightening the likelihood that data—if not one’s identity—will be improperly disclosed, stolen or misused with potentially significant economic harm to the individual.

Protecting personal information traditionally has been a state responsibility. All states have laws to safeguard the security of financial information, and state legislatures continue to consider and enact legislation annually to improve and strengthen financial information security. Congress also has enacted laws to protect financial privacy and confidentiality and to ensure the accuracy of financial information. Federal interest and activity in this area has increased with the onset of the Information Age.

Fair Credit Reporting Act (FCRA)

Personal financial information was protected exclusively at the state level until 1970 when Congress enacted the Fair Credit Reporting Act (FCRA). FCRA established minimum federal standards to ensure that consumers could access information about themselves that lenders, insurers, and others obtain from credit bureaus and use to make decisions about providing credit and other services. Amendments to FCRA, enacted in 1996, imposed new responsibilities on credit bureaus and those who use their information to promote increased accuracy and confidentiality of credit reports. The 1996 Amendments also temporarily preempted, with a limited number of grandfathered exceptions, stronger state laws in seven areas. These included prescreening of consumer reports; the timeframe for handling accuracy disputes; duties of persons who take adverse actions and who use consumer reports in connection with credit or insurance transactions initiated by a consumer; information contained in consumer reports; duties of furnishers of information to consumer reporting agencies; and the sharing of information among affiliates.

Congress reauthorized and made permanent the seven areas of state preemption prior to their expiration with the Fair and Accurate Credit Transactions (FACT) Act of 2003 while further enhancing the accuracy of credit reports, providing consumers one free credit report annually, restricting the use of sensitive information from affiliates to market financial products, and establishing several uniform consumer protections to combat identity theft. Although virtually all the federal anti-identity theft protections in the FACT Act were based on state laws, the measure also preempts state laws in each of the areas where it established federal protection.

Gramm-Leach-Bliley

In addition to FCRA, Congress passed significant financial privacy protections with the Gramm-Leach-Bliley Financial Modernization Act (GLBA) of 1999 that applied to a wide range of financial institutions. GLBA required financial institutions to provide notice to its customers on its privacy policies, including how information is disclosed to affiliates and nonaffiliated third parties, and to offer consumers the opportunity to “opt out” of having nonpublic personal information shared with nonaffiliated third parties. Although FCRA continues to preempt state laws that would restrict information sharing among affiliates, GLBA expressly permits states to exceed the federal standards for nonaffiliated third parties. GLBA also required states to establish minimum privacy protections for the insurance consumers—a requirement that states promptly met.

Financial Information Security

The National Conference of State Legislatures (NCSL) believes that states should continue to play a vital role in protecting the privacy, confidentiality and security of sensitive nonpublic personal financial information. States long have sought to balance the economic value of information sharing with reasonable safeguards against the unnecessary disclosure and inappropriate acquisition of sensitive nonpublic personal financial information, such as credit information, account numbers, account balances, and Social Security numbers. Understanding local and regional economic situations and the unique needs of consumers within these markets, states consistently have ensured the protection of sensitive non-public personal financial information.

State legislatures recognize that financial information security is an area of overlapping federal and state jurisdiction. Therefore, NCSL does not oppose federal baseline standards for the protection of financial information, provided that these standards generally do not preempt complementary state laws. NCSL believes that states should have the authority and flexibility to adopt standards for the acquisition, retention, disclosure and sharing of financial information by and among financial institutions and nonaffiliated third parties that address local concerns or respond in a timely way to incidences of neglect or abuse that may be local or regional in nature. NCSL specifically believes that Congress should preserve state authority to exceed federal baseline standards for information sharing among nonaffiliated third parties.

Credit Reporting

NCSL acknowledges the benefit of a uniform national credit reporting system to the nation's economy. Therefore, NCSL does not oppose the seven limited areas that were subject to federal preemption by the 1996 Amendments of the FCRA and made permanent by the FACT Act. In doing so, NCSL supports the continued exemption of the state laws that were in existence prior to the 1996 Amendments and thus are currently exempted from the preemption provisions.

Data Security Breach Disclosure

Following a series of high-profile financial data security breaches, Congress is considering a range of measures to establish additional federal protections for financial data and to guard against identity theft and account fraud. Federal interest comes on the heels of laws passed in many states that require institutions to notify affected consumers following a data security breach. In fact, many of the reported breaches only came to light following the enactment of a California data breach disclosure law that went into effect in 2003.

Consistent with NCSL’s general policy for safeguarding financial information, NCSL does not oppose baseline federal data security breach notification standards, provided that the requirements do not preempt state authority to adopt standards that provide affected consumers additional protection and notification. NCSL also supports allowing state financial regulators and attorneys general to enforce any new federal data security breach notification standards.

In the event that Congress decides to preempt state law, NCSL urges that the preemption be narrowly construed to preempt only state laws that are inconsistent with the federal standard while preserving state laws that apply to entities that may be excluded from the federal act. Additionally, should Congress decide to preempt state data security breach notification laws, in order to prevent the weakening of consumer protection that exists in over a dozen states, NCSL would support a strong federal law that would require notification of the affected consumers when sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired. In this instance, exceptions should be made only when it is concluded that there is no significant risk that the breach has resulted in, or will result in, harm to the individual whose information has been breached.

Insurance Information Security

In response to the GLBA requirements, state legislatures enacted operationally uniform privacy protections for the nation’s insurance consumers. In their role as the functional regulators of the business of insurance, states have enacted numerous laws and regulations that address the acquisition, retention, disclosure and use of financial information by and among insurance companies. NCSL will oppose any federal effort to preempt these state laws and regulations or to enact federal standards that address the use of financial and credit information in insurance.

 Return to Fall Forum Policies December 2005